‘Two-step’ solution locks out cyber thieves

By Claudia Buck

cbuck@sacbee.com

January 23, 2015 05:20 PM

UPDATED January 26, 2015 06:58 AM

Kristin Judge remembers vividly when the cyberattack occurred. One Saturday morning, she woke up to find more than 1,600 messages flooding her email account. Most were congratulatory, thanking her for signing up for a newsletter, everything from equine groups to shark research to business journals.

Baffled by the volume of messages from companies and nonprofits she’d never heard of, much less signed up for, Judge began meticulously scrolling through them until she found the culprit.

Buried deep in the hundreds of emails was one from PayPal, thanking her for ordering a new $540 iPad and telling her it would be shipped shortly. To an address in San Diego.

“That’s when I knew I was a victim,” said Judge, who lives in Ann Arbor, Mich. Someone had used her PayPal username and password to order the iPad, then hijacked her email address, spamming her with hundreds of sign-ups for online content. The intent, she said, was to effectively bury the real mischief: stealing out of her PayPal account.

Judge, 47, felt the issue personally and professionally. She’s now a program lead for the National Cyber Security Alliance, a public and private partnership, which is bringing a national awareness campaign to Sacramento this week. It’s the only California stop on a 20-city tour that started last year.

Funded partly by Google, the NCSA campaign is designed to alert consumers and businesses to simple steps they can take to lessen the chances of having their accounts hacked. The biggest emphasis is on “two-factor authentication,” which the NCSA calls “an overly technical-sounding term for a simple solution.”

“It’s basically a second step, another layer of protection on your online accounts that will keep the bad guys from getting in,” said Judge, who said it’s what she immediately did with her Facebook, Twitter, Google and PayPal accounts. She also alerted PayPal, which had not shipped the iPad and was able to cancel the purchase.

In many cases, particularly banks and financial institutions, the two-step option is already there, such as when you’re asked to fill out a security question about your dog’s name, your childhood school or your favorite movie title. In other cases, the option for an added security layer exists, but consumers don’t necessarily know about it.

The Two Steps Ahead campaign is designed to get consumers and businesses comfortable with fortifying the security on their own accounts. The website has step-by-step instructions for setting up the extra layer on popular social media and other platforms, such as Facebook, Google, HootSuite, LinkedIn, Microsoft Outlook, Tumblr, Twitter and Yahoo.

Here’s how two-step authentication typically works: Go to the settings site of your most-used online accounts. You enter a phone number or alternate email. When you want to access your account, you’ll get a verification code, either sent by email or texted to your phone, based on your choice. It’s a one-time only code. Once you enter it, along with your username and password, you’re logged in.

Essentially, it’s an additional technique to verify that the person trying to log onto your account is really you. In some cases, your iPhone fingerprint scan can provide the second layer of protection.

According to a 2014 Identity Fraud Study by Javelin Strategy & Research, account takeovers by fraudsters hit a new record in 2013, accounting for 28 percent of all identity fraud. The number of U.S. fraud victims reached 13.1 million, the second-highest number since the study began more than a decade ago. Additionally, the study noted, fraudsters turned to eBay, PayPal and Amazon to make purchases with their victims’ stolen information.

“We’re a pretty click-happy society, and people want it to be pretty easy,” said Judge. “But now, every day, we’re hearing about a huge new attack (like the Target or Sony intrusions) and people are asking: ‘How do I protect myself?’ There’s a little more interest in the topic.”

Gary Almond, president of the Better Business Bureau of Northeast California in Sacramento, will be one of the panelists at Thursday’s event. “A lot of people use very simplistic passwords, so if (cyber thieves) get simple information like an email address, they can effectively access your accounts.”

“We want to make people aware that they have choices,” said Almond. “Consumers are used to certain types of practices. They get set into those habits,” like using a simple login and password, for instance, to access their online accounts.

“But once they realize that with a little more effort they’re less likely to have their accounts taken over, it can do a lot to protect the average everyday person from having their credit card or other accounts compromised.”
